On Monday, August 28, 2017 at 6:36:08 PM UTC-4, Leo Gaspard wrote: > Just encrypting /boot would bring little, as it would still be possible > to modify the unencrypted part of GRUB (that decrypts /boot) to have it > overwrite the /boot with malicious kernel images (or even to not use the > ones provided). > > The options I know of are (from IMO strongest to weakest): > * AEM, for knowing when someone tampered with /boot > * SecureBoot, for restricting the allowed-to-boot images (I don't know > about its ease of use with qubes, though) > * locking your bootloader with a password and disallow external boot > > I'd think having all these protections at the same time would be best, > using secureboot mostly to avoid having to ditch the laptop after AEM > says it's no longer trustworthy (because it may stop the attacker before > it can even make the laptop no longer trustworthy). > > > On 08/28/2017 09:48 PM, Unman wrote: > > On Sat, Aug 26, 2017 at 08:39:23AM -0700, > > cyberian@national.shitposting.agency wrote: > >> Does Qubes offer a method of securing /boot? not just against USB evil > >> maid attacks, but from tampering in general? > >> > >> for example, while a laptop is off, what would stop a malicious user from > >> live booting to an arbitrary distro and altering kernel or xen images > >> located on the unencrypted /boot partition? > >> > >> Does qubes offer options for encrypting /boot? > >> > > > > The Fedora installer wont allow an encrypted boot partition, but there's > > nothing stopping you from encrypting /boot after installation. You will, > > of course, have to reconfigure grub to decrypt the new /boot, but that's > > straightforward. > > > > > >
secureboot can do more then restricting boot images, it can restrict unsigned drivers too. Thats the part Joanna doesn't like because she does not trust who will maintain the list of signed drivers. I say I'm already putting just as much trust into alot of other things like my banks ssl cert when connecting to my bank account. We are already trusting everything coming from upstream when we update... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/17709195-8382-493a-abe0-3fe3d5b5c713%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
